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[57] ABSTRACT 

A method and apparatus for generating cryptographic 
keys for a postal manifest and for synchronizing crypto- 
graphic keys for transmitting postal data securely on a 
communication link is presented. The techniques for 
generating a key and for synchronizing keys use the 
same apparatus but use slightly different data to create 
a cryptographic key. 

The postal data center maintains a unique set of data for 
each server station. Using this set of data along with a 
manifest sequence number (or communication transac- 
tion number) and the date, a cryptographic key is cre- 
ated. Each server station stores a fixed master key, KO, 
a permutation table, Pt, and ID, and GMT date. Using 
the manifest sequence number (or the communication 
transaction number) a row of the permutation table is 
altered and the master key KO is scrambled with the 
permutation table top get a new key K2. With K2, the 
date, server ID, and manifest sequence number (our 
communication transaction number) are encrypted. The 
result of this encryption yields another key K3. K3 is 
then used for encrypting the postal manifest or for com- 
municating with a postal data center. 

20 Claims, 5 Drawing Sheets 




09/15/2004, EAST Version: 1.4.1 



US. Patent Jun. 19, 




1990 Sheet 1 of 5 4,935,961 

FIG. 1 

L 20 r2i 




HAIL BATCH -n [ 

fi Vj 

MANIFEST ^ 



■22 



POST OFFICE 



09/15/2004, EAST Version: 1.4.1 



U.S. Patent Jun. 19, 1990 Sheet 2 of 5 

FIG. 2 



4,935,961 




PE*ITHJ«ft 
HULEft 



NW-PKFTT tS23.au): AO 



238 

r 

23 



r: 



AUIK TitfK W aJOPC 367SB 
T133H1 BfHM 1 ? IMffl F7T7W 
«ECH ICSffiT 2H ZMQ9B CA7JY6 
ma juasra 31 MAW IU0JI 

DATEPREPAflet. 03/08/31 ' 

COPTHMEft 1. 



■25 

■26 



BKDKDfi SBQAL I I 1 

BBWSBUJLf / 4 

TOTAL PIECES 4 

SSNHVaStBr 0302001 

usps Bfint pom; mm 

WUX DATE: 03/08/88 



BEBSfflDS BAUKE tlODOO.OOO 

TOTAL A00ITIOS $0,000 

POSTAGE USES $0,068 

E«I« BALANCE SSQS.S3 



tern class 



HATE CLASS 



FN 1ST CLASS MDN-ffGSOflT 



— 1 02 — 
» PCS $«ff 



a UP M NOH- PBES0RT 



1ST CUSS PRESORT 



OP CAfKia HTE PRESORT 



IP UP + 4 PRESORT 



SUBTOTALS 



O.OOO 



0.000 



0.000 



0.000 



0.000 



O.OOO 



-201- 
I PCS $ ANT 



0.000 



-301- 
I PCS (tiff 



0.000 



0.000 



0.000 



0.000 



0.000 



0.000 



- TOTAL - 
f PCS t AKT 



O.OOO 



0.000 



0.000 



0.000 



0.000 



0.000 



0.000 



0.000 



0.000 



0.000 



0.000 



AOOmOKAL POSTAGE 
-AOUBDOfT FOPr 
-WKUALIFIBS- 
I PCS 



t AXT 



O.OOO 



0.000 



0.000 



t.000 



0.000 



SACKS 



.TBATS. 



.PALLETS , 



.era. 



II TOTAL PIECES i 
TOTAL EIGHT 0 L8 0 OZ 
TOTAL P0STAEE PAID 1 0.C68 



SIBUMC Cf PBWT H0LDEB Cfl ASBff (BOTH PRINCIPAL AH) AGENT ARE LltHf FOHANY POSTAGE BEFICXEKT DOfflED. 



i&a m^mmam smg mm w. 



rAtKHTcr 



snwTtn; of icae 



BEEN 



OF 
DC 
PAID. 



TDC 



FAU0 5TAMP KgUTflED) 



09/15/2004, EAST Version: 1.4.1 



U.S. Patent jun. 19, 1990 sheet 3 of 5 4,935,961 

FIG. 3 

j-30 

GENERATE SEQUENCE 
NUMBER Tj 



i e!L 

SELECT ROM OF 
PERMUTATION TABLE 



i 

SCRAMBLE MASTER KEY 
Kq WITH SELECTED 
ROW TO GET KEY Kj 



r 33 



EXPAfffl Kl TO 64 
BITS USING GROWTH 
TABLE TO GET KEY K2 




r 34 



ENCRYPT DATA WITH 
K2 USING DES TO 
GET K3 



DATE 



ADJUST FOR PARITY 



KEY FOR ENCRYPTING 
MANIFEST USING DES 



09/15/2004, east version: 1.4.1 



US. Patent jun. 19, 1990 sheet 4 of 5 4,935,961 



I — o 

I t 



CO 
M 



£3i 



CD 



Kg 



K 

if? 



3ss 



a*: lu lu 

UJ I— I -KC I 



cnccco cd 



IS 



09/15/2004, EAST version: 1.4.1 



US, Patent jun. 19, 1m sheet 5 of 5 4,935,961 

FIG. 5 



Si- 
D* 



I 



76 



DERIVE K? 
FROM Ti 



Ti. S 



■79 



K3> DES EK 2 (D.Si) 



I 



BO 



Vi» DES EK3(DATA) 



OR 
ROUTINE 




DERIVE K? 
FROM Ti^ 



j: 



78 



K> DES EKJ(D,Si) 



I 



81 



DATA'- DES DK^(Vi) 



'Si 
■ D 




I 



83 



ERROR 
ROUTINE 



V- DESE|^(DATA") 



09/15/2004, EAST Version: 1.4.1 



1 2 
METHOD AND APPARATUS FOR Tm fa accor / iance invention, the data center and 

genehationX)1SJ^Si™of ST ^ Bto ? 811 identical 32 bit ma,ter ^ Remote 

CR YPTCX?R APWirvv^K OF recharging postage systems conventionally employ a 

TYPOGRAPHIC KEYS master key of 64 bits, 32 bits of which are fixed and I 32 

Thfamventionrdates 'tothesynchroiu^tionofcryp. 5 nnipr^tf^^h^*^ vary in accordance with certain rules. In 
tographic keys generated at two or more lo«K Z^T^l ST "1 "?? rem0te . rechar ^ 
without the necessity of passing information beTwee^ T ' I J"* ° f the mvention prefcra ' 

the two locations that could lead to tSStaddS V ^P 0 ^ ^ the 32 fixed bits of the master key of 
mination of the cryptographic keys generated at the 10 ?'T* «chargmg system. There is no need, however, 
locations. While the mvention is especially adaoted to invention to be used in conjunction with such 

and will be specifically disclosed herein, with respect to ^ gC systems 

the provision of a method and apparatus for synchroniz- ^ y server ' a unic l ue t0 that 

ing and/or resynchronking the generation of identical 1110 data centcr my service a Iar 8 e num- 

cryptographic keys at the server station and data center 15 ^ ^ data must store the correspon- 

of a postal system adapted to monitor the mailing of between the ID of each server and its master key. 

batch mail, it will be apparent that the invention is not ^ Upon bemg infonned ot an ID, the data center can 

limited to this application. retrieve the corresponding master keY. 

A server is a mailing machine, for example, for mak- Thc server and data center each include a real time 
ing batch mail, wherein a batch of mail is assembled 20 ' ?° the timc of of the manifest can be 
with a manifest, which serves to identify the contents of det ennined. This clock preferably outputs the time as 
the batch to the post office. The manifest has imprinted GMT ' *°. that thc issue time and date is independent of 
thereon 20 information such as the quantities of differ- the location or> the server. 

ent classes of mail in the batch, etc In addition, the "^5 server and tne data center each also have stored 
manifest carries an encrypted verification number to 25 tberein 8 p column by N row permutation table, 
enable the post office to verify the manifest and its wherein C is an integer corresponding to the bit length 
accuracy. Each server has an identification number ID of me flxed master key and N is an integer of arbitrary 
(which may be alphanumeric), and the batches assem- len Sth. This permutation table (which may be unique to 
bled by each server are identified by sequential run the server) is used to derive a string Ki from the master , 
number T. The ID and run number are printed on the 30 ^ of corresponding length. The row of the table 
manifest, as well as the date that the manifest was is- that is for calculation at any time is a function of 
sued. the transaction number. Each row of the table has a 

The system further includes a data center operated, number from I to 32 stored at each column, each col- 
for example, by the Assignee of the present application, ""n corresponding to a bit position of the master key 
that maintains information concerning each server, so 35 ^ The string K| derived from the permutation table is 
that the post office can call the data center to verify thus a string of 0"s and 1 *s corresponding to the data at 
each batch that it receives on the basis of information the bit positions of the master key Ko as identified se- 
pnnted on the accompanying manifest. quentially by the numbers stored sequentially in the 

A problem involved in such a system arises in the columns of the row of the permutation table corre- 
aifhculty of maintaining cryptographic keys used in the 40 spending to the current transaction number. The total 
encryption and decryption of the manifest data. While number of rows N is selected to enable the use of the 
the manifest keys, and the identity of the corresponding table for a time commensurate with the expected usage 
servers, may be stored directly at the data center, this of the table. Preferably the table is not stored as a com- 
teenmque is cumbersome and requires the storing of an P^te table but in algorithmic form. Thus, preferably 
extremely large number of keys at the data center, while 45 data corresponding to one row of the table is stored 
still not permitting simple modifications of the keys for along with a secure algorithm for the development of a 
iwreasmg the security of the system. modified row corresponding to the current transaction 

Anoraer problem involved in such a system is se- number. Storage in this manner provides increased se- 
curely communicating information between the data curity since the full permutation table is not readilv 
center and the server across a data link. To keep this 50 identifiable by examination of the memory. ApoUcants 
information secure, it is encrypted using the Date En- note that references to selection of a row of the permu-' 
£25°!! 5^ ^ 8 Geographic key , tation table in accordance with the transaction number 

stored by both the data center and server. A further and permutation of the master key accordingly are 
5™ b ^™ m "nn^jtog J the key (for the first time) logically equivalent to references to generation of a 
^ ^ f 18 , ^ P^ 0 ^ 1 ^ to increase 55 particular permutation in accordance with an algorithm 

^,?K,f? 8 -. *?™ T05S *e data link is not based on the transaction number and permutation of the 
acceptable since .could be intercepted and all future master key accordingly, and that suchlogically eauiva- 
transnussions could be decrypted by an information lent selection is preferred as proving ; S2ed ^ 

Th;. « a ui ... nt y against direct examination of the system memory. 

k^ST" PTObICm , " ^ * y ^8 a " chan 8C 60 If the master string is shorter than 64 bits, eg. 3 7bUs 
JSUSTf P"" ° ^r 0 ^ 011 and cm " **«ver ^ data center may further incIudetgrowS 
&h*£ SlEFt ? ra T d, * n! a °° for expanding the string K, to a 64 bit £E r? 

GrLw,c^^ thc ? ™« ™" necessary for compatibility 52 key 

ureenwicrj Mean Time (GMT) date and information with conventional DES encoding techniaues Th«t»hil 
contained m the server and data center. Hence, with 65 may be a list of 64 numbers, ea^fa of the n^rlrf b^m H 

string k 2 is a 0 or 1, depending on the data at the bit 
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position of the 32 bit string Ki identified by the number 26, i,e. the sequential number of the current batch in a 

in the list aeries of batch mailings by the server. 

In accordance with the invention, identical encryp- Upon receipt of the batch and corresponding inani- 
tion keys can be generated at the server and the data fest, the post office, in normal procedure, communicates 
center without the necessity of communication of en- 5 with the data center 21, which may be a commercial 
cryption information between the server and data cen- organization such as the assignee of the present applica- 
ter, in the following manner. tion, and advises the data center of the identity of the 

1. The server determines the row of its permutation server that issued the manifest and the manifest run 
table to be used in the calculation, on the basis of the run number as well as a portion 23a of the block 23 of the 
number. The row to be used may correspond directly to 10 encrypted numbers. The data center incorporates en- 
the transaction number. cryption/decryption programs and data, the same as 

2. Using the selected row, the server develops a 32 bit employed by the server, and upon receipt from the post 
string Ki from the permutation table and the master key office of the identification of the server and the run 
Ko, assu m i n g that the master key was a 32 bit key. number can regenerate further information appearing 

3. Using the growth table, the server develops a 64 bit 15 011 manifest, or upon receipt of such further infor- 
string K.2 from the 32 bit string Ki, and, if necessary, mation, can regenerate the encrypted numbers. If neces- 
adjusts for parity. sary, upon receipt of the entire block of encrypted num- 

4. The server now encrypts the date from its clock, its bers » the data center can regenerate for the post office 
ID number, and the run number, with the 64 bit string 311 of on tbe manifest that has been encrypted, 
K 2 , to produce a 64 bit encryption key K 3 . The encryp- 20 for verification purposes. 

tion may employ the data encryption standard DBS. Further data on the manifest is of a conventional 

5. The encryption key K 3 may be adjusted for parity. "ature. and need not be discussed herein. With respect 
Those skilled in the art will recognize that the DES to d* 1 * ccnter ' Jt a of course apparent that it is 
standard DES encryption algorithm treats one bit in necessary for the data center to maintain a record of the 
every byte of the received key as a parity bit and makes 23 various tables ' etc - employed by each of the serv- 
actual use of only 56 bits of the key for encryption. f 13 associated therewith, so that upon receipt of the 
Accordingly by "adjusted for parity herein" is meant ld entification of a server and the transaction number, 
setting the eighth bit in every byte of the key in accor- .pertinent material for encryption and decryption is 
dance with a preselected odd or even parity. , ft , f or use - n 

6. The data center receives the ID number and the . , 3 i UIustrates a n ° w diagram showing the genera- 
run number, which are printed in plain text on the mani- tt0n of a kev m accordance with ^ invention for use in 
fest, selects the appropriate master key Ko and permuta- ^cryption or decryption process. In accordance 
tion table for the identified server, and duplicates steps the in vention, at block 30, a sequence number T, is 
two through five generated m order to determine the row number of the 

In order that the invention may be more clearly un- " P cnnul ; tion t * ble that » *° be employed in a given 
derstood, it will now be disclosed in greater SKJSi ZSZfTf decr ^° n - When the ™*»" T ' jf de- 
reference to the accompanying drawings, wherein: T f ° fT' *" S ? may C °T^ te thC 
■ FIG. lis a simplmed block diagram of for Wrf»"«^to access the next ^vailable row of the 
monitoring the mailing of batch JZ? ^ M permutation table stored therein. When the number T; is 

FIG. 2 is an example of manifest that may accompany 40 £^i^ ^ * ^ 

a batch of mail; ^ * thereto from the post office upon inspection of a mani- 

FIG. 3 is a flow diagram iUustrating the generation of ^2?! ?^ u ™» tio " ™V ** orai - 88 desired. 

a cryptographic keyTaccordance 4h the h^enaon; ^JS^S^l^^f- "T^*, m 

Fin A. ;« a Mr^t „r - „-* .1 " ' ' ot the permutation table corresponding thereto is se- 

i*" \H °? r S a , gram / ° f asv^thatmay be 45 lected, at blwk 31. The master keVKo is then scrambled 

£^ ™? /OT dEta CeQ ^ f a i« accordance with the selected rowofthe table, to get 

r^^/^f^T ° f 2 "yP^P™ 0 toy* the key K lt as indicated at block 32. If it is necessary^ 

SrlT n« h *S * ■ u "P^ the R i «> ™der it adaptable for iiiewtth an 

„£S' J * diagram dlustratmg a method for encryption standard such as DES, the key K,is e^ 

checking the accuracy of the generation of identical 50 P ande4 by the use of a growth table, * Mock 33, to 

TffiSn^^^T* . . . . Produce the key K 2 . In orfer that the finally K o° 

mc^ZSZm * 2? Wn8S -f ndin P artl ? : 'i arto continually varied, one or more data inputs such as the 

FIG. Lthereui is illustrated a postal system including a sequence number T, and/or the date D, and/or he 

5 if T ^-?r d y 0 ?*? 22 *., The S?«tification number S,of the server, are en^ed £ 

S^if.SfTf rf .^ th J^«. fo / ba ^niailing, 55 the K2, employing DES. This result K2 is thenadjusted 

■^STSi^ 6 . ^^^^^fo^edtothe forparityatblockSStoproducethekeyKaforencrypt- 

post office 22, atong with a manifest providing detail of ing the required data on the manifest employingfor 

the contents of the batch, e.g. the totals of different example the DES 

types of mail an d different classes of mail, and postage A suitable system for generating a key, in accordance 

required for the 1 mailing of the batch. In order to verify 60 with the invention, is illustrated in FIG. 4. While this 

the manifest, the manifest has imprinted thereon an system is especially adapted for use in a server, it will be 

encrypted number which, when decoded, should verify apparent that conceptually the blocks thereof are also 

the various data imprinted on the manifest A typical adaptable for application to the data center. The system 

manifest for this purpose is illustrated in FIG. 2, incorporates a central processor 40 of conventional 

wherein a block 23 of characters represents an encryp- 65 construction, for example, a microcomputer havina 

tion of various data on the manifest The manifest fur- address, data and control buses 41, 42 and 43 respec- 

ther includes an identification number 24 of the server, tivelY. A nonvolatile memory 44 stores the master key 

the data of issue 25 of the manifest, and the run number . Ko, a permutation table P c and a growth table Gt 
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Preferably the table Pcmay be stored in the form of an synchronization exists between the server and the data 

initial row and a simple, secure algorithm, based on the center 

transaction number, to generate further rows of the In accordance with the subject invention, a server 

*l' h n a * c m J m ° ry J M 1 nee ? a0t l . storc 1 W1 data center are provided, which each include: 

r^mutotoon table. The particular algorithm selected to 5 1. An identical master key Ko stored in memory. As 

SS^SS^* V*?***™ «£» " ab °vc discussed, this may be a 32 bit key for conve- 

mventl ? a * » Ion » 88 rt » kept » ^tal systems, or it may have any other num- 

^ive ~ T 7^ °f n0 ^ ^ ^ of bite - This key is a secure number, i.e. its identity 

M?£ZJI5 dements in succes- must be maintained in the equipment or by authorized 

^£^5? row,, the pairs being selected in accor- 10 personnel in complete secrecy. 

mS^^J^T^ 11 nUmbCr ; J"™ technique 2 - An identical permutation table. The permutation 

STS 1 2 TScIS^ f0f table, an example of which is illustrated in Table 1, has 

orovided a/fl S^f* 5^ ""S' 45 ta as many columns C as there are bits in the master string 

X^mnrv^ ; t . P «4- , to be encoded, e.g. 32 in the present example. The table 

thl^m^^Z^r^^ SCn ?T n ? f 13 ^ an arbitrary number N of rows, the number N pref- 

cryption and decryption. For example, an Advanced ^T^l h ?ransaction that can be expected ui 

™ ™ ■ ^ * rovers a^t?^" 

The system of FIG. 4 further includes a real time T^Tt ? ^f^ 0 ™ ° f ^ f™ 8 10 
clock 48 providing an output of the da* nW u«n Z ^ ^'P^™ti^» «ed herein, it is 

GMT time, ^addition, the central proc^sTL "^^teeachrftte™ to 32 to be 

nected to a working memory 49, a prh?2r^50?com- 25 "* d °P Ucatlon °f numbers » hen « 

munication port 51, and a CRT and keyboard 53 to * - . " . 

enable manual input and output to the micro^ompm^ w^T* ^ £f ^ ^ 

as well as display of the operation of the system The ^ i !5^ i ^^ ) ^?J! fiaeM . nm 
printer I/O 50 is coupled to a printer 53 for printing the ^"^5? t ♦ Position of the new string corre- 
manifest, and the communications port SI may be con- 30 E? Jh^IS P ? tWn °, 

nected to a modem 54, to enable communication be- 8 at ^ COrreS P° Qdm 8 coIunra of the 

tween the server and other device, such as the data ^ * r • \ >u L , _ 

center via a communication link 55 111118 referring to the permutation table of Table I, 

On occasion, it may be necessary to verify that identi- J™^,?? *° W 2 St*? Selectcd ' first bit of 
cal codes are being generated by the server and the data 35 32 ^ Stn f 8Wl11 ^e same as the bit at the 

center. A program for effecting such verification is ^^P^onof the master key, the second bit of the 
illustrated in FIG. 5, wherein steps may be effected ^ W 32 . blt strm 8 wlU ^ *** «*» « the bit at the 27th 
externally of the server and data center, and do not Position of the master key, the bit at the third bit 

directly form a part of the present invention. As iUus- °J. *** *? e . w at ?f wU1 the same as the bit at 

trated, based on a selected transaction number T/ at 76 40 tt blt P° Mtlon of 1116 master stnn «. e *c- 

the server generates a key K2 in the manner described TABLE 1 

above, and based upon the same transaction number, at column 
77 the data center generates a key K'2 in the same man- 
ner. (As used herein "transaction numbers" identify 
particular communications between a server and the 45 
data center. It will be recognized that transaction num- 
bers are used equivalently to "run numbers" to generate 
keys.) At 79 and 78 respectively the keys K 2 and K'2 are 
employed to encrypt the date D and server number Si- 
employing DES to generate keys K 3 and K'3. A mes- 50 
sage V/ is generated by encrypting predetermined 
DATA at 80 with key Kj. V,is transmitted to the center 
and decrypted using key K' 3 at 81. A communication While the permutation table may be stored in the 
link, as shown m FIG. 5, may be employed for transmit- systems in the form of a table, the invention also con- 
ting the transaction number T; server ID, S, and en- 55 templates algorithmic storage of less information than 
cryptcd data V, from the server to the data center. The the complete table, along with suitable algorithms for 
decryptoon of message V f , DATA', is then compared at deriving the required data of any row. Thus, the first 
.S* ^ * predetermined DATA, which is also row may be stored in memory, along with an algorithm 
stored in the center. If a comparison does not exist, an for modification of the first row in accordance with the 
error has occurred and a request may be made to re- 60 identity of the transaction number, to derive the data of 
cneck the calculations. If a comparison is made, then the row corresponding to the transaction number 
predetermined DATA (which may be equal to The particular choice of algorithm for modification 
DATA) is encrypted with the use of the key K' 3 at of the first row is not critical and its selection is not a 
block 83 to generate encrypted message V/' and passed limitation of the subject invention. For example, as is 
via a communication link for decryption in a DES de- 65 shown in FIG. 1, selected pairs of cells may be inter- 
crypuon step at the server at 84 employing the key K 3 . changed cyclically in accordance with Ti 
The result is compared with the DATA' stored at the 3. If necessary in the system, a growth' table for ex- 
server at block 85. If a comparison exists, then complete panding or diramislung the number of bits of the key 





1 


2 


3 


4 


5 


6 


7 


8 


9 10 


32 


t 


3 


27 


13 


13 


18 


■7 


4 


2 


1 30 


5 


2 


2 


27 


13 


18 


13 


7 


4 


2 


1 30 .. 


J 


3 


3 


27 


13 


18 


IS 


4 


7 


2 


1 30 


5 


4 






















3 






















N 























09/15/2004, EAST Version: 1.4.1 



4,935,961 



from Ki to K2. When a master key of 32 bits is em- 
ployed, for example, and it is necessary to expand the 
key to 64 bits for use in DES encryption, a table such as 
shown in Table 2 herein may be employed. 

TABLE 2 



8 



Bit Position 



Bit Position Of K| From Which Data 
For K] Is Derived 



64 



10 



15 



30 



35 



When a growth table as shown in Table 2 is em- 
ployed, it is evident that the first bit position of K2 will 
have the same data as that at the 31st bit position of Kj, 
the second bit position of K2 will have the same data as 20 
that at the fifth bit position of Ki, the third bit position 
of K2 will have the same data as that at the first bit 
position of Ki, etc. 

While the invention has been disclosed and described 
with reference to a minimum number of embodiments, it 25 
will be apparent that variations and modifications may 
be made therein, and it is therefore intended in the fol- 
lowing claims to cover each such variation and modifi- 
cation as falls within the true spirit and scope of the 
invention. 

What is claimed is: 

1. A method for generating encryption keys for a 
sequence of messages comprising the steps of: 

(a) determining a sequence of N different encryption 
keys; 

(b) associating a value of a sequence variable T„ with 
each of said messages; and 

(c) selecting one of said N encryption keys as a func- 
tion of said variable Tf for each of said messages 
and encrypting at least a portion of each of said 40 
messages in accordance with an encryption key 
derived in a predetermined manner from the corre- 
sponding one of said selected keys; and wherein 

(d) said step of selecting one of said encryption keys 
produces results identical to the steps of: 
(dl) storing a fixed master key Ko having C ele- 
ments; 

(d2) storing a permutation table, said table having 
C columns and N rows, the columns of said table 
sequentially corresponding to the element posi- 
tions of key Ko, the elements of said table con- 
sisting of numbers from 1 to G; and 

(d3) selecting a row Nt of said table in accordance 
with said variable Tr, and - 

(d4) scrambling key K 0 to derive an encryption key 55 
Kj, having C elements, by, for all of said ele- 
ments of Kj, setting the jth element of Ki equal 
to the yth element of Ko, where y is the number 
at column j, row N/ of said permutation table, 
where j is an integral variable ranging from 1 to 60 
C. 

2. The method of claim 1 further comprising expand- 
ing Ki in a predetermined manner to derive an ex- 
panded encryption key Kz. 

3. The method of claim 2 further comprising adjacent 65 
K2 for parity. 

4. The method of claim 2 further comprising modify- • 
ing K2 to form an encryption key K3, said step of modi- 
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fying comprising encryption variable data with K2 to 
generate K3. 

5. The method of claim 4 wherein said step of en- 
crypting variable data comprises encrypting a sequence 
dependent variable. 

6. The method of claim 2 further comprising modify- 
ing K2 to form an encryption key K3, said step of modi- 
fying comprising encrypting variable data with K2 to 
generate K3. 

7. The method of claim 6 wherein said step of en- 
crypting variable data comprises encrypting a sequence 
dependent variable. 

8. The method of claim 1 further comprising storing 
said permutation table in algorithmic form. 

9. A method for synchronizing the generation of an 
encryption key K3 at first and second stations compris- 
ing the steps of: 

(a) providing identical sequences of N different en- 
cryption keys at said first and second stations; 

(b) selecting a value for a variable Tr, 

(c) selecting one of said N encryption keys in accor- 
dance with said selected value and a predetermined 
function of said variable T/ at each of said first and 
second stations to obtain encryption keys Ki and 
K'i respectively; 

(d) encrypting a block of data D at said first station 
using an encryption key derived in a predetermined 
manner from said key Ki to generate a message Vi; 

(e) providing the plain text of said block D at said 
second station; 

(0 transmitting said message V; from said first station 
to said second station; 

(g) decrypting said message V/ using a key derived 
from said key K'i in said predetermined manner to 
provide a block of data D; and, 

(h) comparing said data D and data D' to verify syn- 
chronization at said second station. 

10. A method as described in claim 9 comprising the 
further steps of: 

(i) encrypting a block of data D" at said second sta- 
tion using said key derived from key K'i to gener- 
ate a message V/'; 

0) providing the plain text of said block D" at said 
first station; 

(k) transmitting said message V/' to said first station; 
0) decrypting said message V/' at said first station 

using said key derived from key K] to obtain a 

block of data D'"; 
(m) comparing said data D'" and data D" to verify 

synchronization at said first station. 

11. The method of claim 9 wherein said predeter- 
mined manner of generating further comprises expand- 
ing K| and K'i in a predetermined manner at each of 
said stations, to form identical keys K2 and K'i. 

12. The method of claim 11 further comprising modi- 
fying K2and K'2flt each of said stations to generate keys 
for encryption and decryption of said blocks D and D' 
by encrypting identical variable data with K2 and K'2. 

13. The method of claim 12 wherein said step of en- 
crypting identical variable data comprises encrypting 
data identifying said first station. 

14. Apparatus for generating encryption keys for a 
sequence of messages comprising: 

(a) means for determining a sequence of N different 
encryption keys; 

(b) means for associating a value of a sequence vari- 
able, Ti, with each of said messages; and 
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(c) means for selecting one of said N encryption keys 
as a function of said variable TV for each of said 
messages and encrypting at least a portion of each 
of said messages in accordance with an encryption 
key derived in a predetermined manner from the 5 
corresponding one of said selected keys; said se- 
lecting means further comprising, 

(d) means for selecting one of said N encryption keys 
so as to produce results identical to the steps of: 10 
(dl) storing a fixed master key Ko; 

(d2) storing a permutation table, said table having 
C columns and N rows, the columns of said table 
sequentially corresponding to the element posi- 
tions of key Ko, the elements of said table con- 15 
sisting of numbers from 1 to C and 

(d3) selecting a row Nj of said table in accordance 
with said variable Tr, and 

(d4) selecting key Ko to derive an encryption key 2 o 
Ki, having C elements, by, for all elements of Kj, 
setting the jth element of Ki equal to the yth 

■ element of Ko, where y is the number at column 



10 

j row tyof said permutation table, where j is an 
integral, variable ranging from 1 to C. 

15. The apparatus, of claim 14 further comprising 
means for expanding Ki in a predetermined manner to 
derive an expanded encryption key K2. 

16. The apparatus of claim 15 further comprising 
means for modifying K2 to form an encryption key K3, 
said modifying means comprising means for encrypting, 
variable data with K2 to generate K3. 

17. The apparatus of claim 16 wherein said means for 
encrypting variable data comprises for encrypting a 
sequence dependent variable. 

18. The apparatus of claim 15 further comprising 
means for modifying K2 to form an encryption key K3, 
said modifying means comprising means for encrypting 
variable data with K2 to generate K3, 

19. The apparatus of claim 18 wherein said means for 
encrypting variable data comprises means for encrypt- 
ing a sequence dependent variable. 

20. The apparatus of claim 14 further' comprising 
means for storing said permutation table in complete 
form. 

***** 
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[57] ABSTRACT 

A system for securely distributing a communications key 
from a master unit to a remote unit for use in cryptographic 
communications between the master and remote units 
employs first and second secret numbers stored in both the 
master and remote units, and a random number generated in 
the master unit which is combined with the first secret 
number to produce a first intermediate number which is in 
turn combined with the second secret number to produce a 
second intermediate number. The second intermediate num- 
ber is combined with the communications key to produce a 
transmission number sent with the random number to the 
remote unit The remote unit, using the random number, the 
transmission number, and the first and second secret num- 
bers, is able to reproduce the communications key. A method 
for securely distributing the communications key from the 
master unit to the remote unit is also provided along with a 
system and method for authenticating the identity of any one 
of a plurality of remote units in communication with the 
master unit, whereby each remote unit stores first and second 
secret numbers unique to it, all of which secret numbers are 
also stored in the master unit. 

31 Claims, 5 Drawing Sheets 
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KEY DISTRIBUTION SYSTEM 



HELD OF THE INVENTION 

This invention relates to a system and method for securely 
distributing a communications key from a master system to 
a remote system for use in cryptographic communications 
between the master and remote systems. 



BACKGROUND OF THE INVENTION 

In today's age of communications, the use of cryptogra- 
phy is becoming increasingly important to protect confiden- 
tial communications between a sender and a receiver trans- 15 
mitted over public or easily accessible communications 
channels such as telephone lines, satellite links, wireless 
networks, cellular phone systems, etc. The basic idea of 
cryptography is to first scramble or encrypt the private 
message, and then send the encrypted message over the 20 
communications channel to the receiver where the message 
is then decrypted and read. If the encrypted message is 
intercepted by an unauthorized party and cannot be 
decrypted, it will be unintelligible. 

In key-based encryption systems, the message to be sent 
is encrypted with a **key" or "communications key" which 
is a code known only to the sender and receiver and is not 
known to other unauthorized parties who may try to inter- 
cept the encrypted message. If the sender and receiver 
possess and agree to use the same key, the sender can 
encrypt the message with the communications key and send 
the unintelligible, encrypted message over the communica- 
tions channel to the receiver, who can then decrypt the 
message using the same communications key used by the 
sender to encrypt the message. 

In 1977, the United States National Bureau of Standards 
decided on a defined encryption algorithm known as the 
Data Encryption Standard (DES), which is now the standard 
for the encryption of certain classes of data. DES encryption 
is currently used by federal agencies as well as by private 
companies in areas such as electronic banking and money 
transfer. DES encryption works with a user-supplied data 
encryption key with a word length of 56 bits. The encryption 
key, which must be known by both the sender and receiver 
of the message, is used to encrypt the message, which then 
appears as an apparently random sequence of unintelligible 
bits. Since both the encryption and decryption procedures 
used with DES are publicly known, maintaining the secrecy 
of the encryption key is imperative when using any DES 
encryption system Today there are commercially available 
integrated circuits which can implement the DES encryption 
and decryption procedure. 

As with DES encryption, one of the largest problems 
encountered in any key-based encryption system is the need 
to keep the key secure. One solution is to frequently update 
the communications key such that even if one key is 
recovered by an unauthorized user, a subsequent key change 
will not allow decryption of subsequent messages, lb this 
end, many different methods of key distribution have been 
devised. 

In one widely-used method of key distribution, a human 
courier or "trusted friend" can be used to physically distrib- 
ute new keys to the remote systems on a periodic basis. This 
method can be problematic, however, if the confidence of 65 
the trusted friend is compromised or the key is intercepted 
along the way by an unauthorized party. 



Another type of key distribution system is known as a 
public key system in which the communications key need 
not be physically distributed or even agreed on in advance 
by the sender and receiver. In such a system, User A 
s publishes a public encoding key E A to all users of the system 
and keeps private a decoding key D A , whereby D^^CM))^ 
M. where M is the message to be sent, E A (M) is the 
encryption of message M, and D^^fE^fM) is the description 
of encrypted message M. In such a system, however, User A 
10 must not publicly reveal D A when showing E^, and the 
decoding key D A must not be computable from encoding key 
E,. Using this system, User B, who desires to send a 
message to User A, can look up the encoding key E A of User 
A which is published. User B then uses E^ to encrypt the 
15 message to be sent to User A. Upon receipt of the encrypted 
message, User A can quickly decode the message whereas 
other users or unauthorized parties who do not possess D^ 
cannot easily ascertain the message from the published E A . 
This system is extremely slow, however, when used to send 
large messages due to its reliance on intensive computations 
needed to decrypt the message. 

Another key distribution system, known as double 
encryption, is disclosed in U.S. Pat, No. 5,029,207 to 
Gammic. In this system, an external security module for a 
television signal decoder is provided in which the key to be 
sent is encrypted using two secret serial numbers known 
only to the master and the particular remote subscriber. The 
key used to descramble the program signal is first encrypted 
with the secret serial number of the remote unit's replace- 
able security module, and then encrypted again with the 
secret serial number of the remote unit's decoder. The 
decoder then uses its two secret serial numbers to work 
backwards and decrypt the key, which it then uses to 
descramble the program signal. 

U.S. Pat. No. 5,146,498 to Smith discloses a method of 
remotely changing the encryption key where an original key 
is stored in a remote unit, and the master unit sends a signal 
to effectuate a key change based on operations performed on 
the original key. The key itself, however, is not sent, but 
rather the new key is generated as a result of mathematical 
operations on the original key initiated from a key change 
command sent from the master unit. 

U.S. Pat. No. 4,731,840 to Mniszewski et al. discloses a 
method for encrypting and sending digital key data using 
DES encryption. Each remote unit used in the system 
contains a set of key-encryption keys indexed by a common 
system The master unit, upon request from the remote unit, 
generates a key and encrypts it with a preselected key- 
encryption key. The encrypted key and an index designator 
is sent to a remote unit wherein the key is decrypted to 
reproduce a data encryption key. 

Other systems, such as that disclosed in U.S. Pat No. 
5,159,633 to Nakamura, use combined public and secret key 
encryption systems. In Nakamura, storage information is 
encrypted with a public key system while real time trans- 
mission data such as a video signal is encrypted with a secret 
key system. 

FIG. 1 shows another example of a prior art key encryp- 
tion system that includes a central or master unit 100 and a 
remote unit 120. At master unit 100, a new key 102 is chosen 
by a random number generator (RNG) 103 to serve as the 
communications key and must be safely transferred to 
remote unit 120 over communications channel 111. To this 
end, master unit 100 generates and then encrypts the new 
key 102 with a master key 122 of remote unit 120, using 
DES encryption unit 104 to thereby generate encrypted key 
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110. Encrypted key 110 is then sent to the remote unit 120 
which will then decrypt encrypted key 110 using DES 
encryption unit 105 and master key 122 to recover new key 
102. New key 102 is then used as the new communications 
key for subsequent communications between master unit 
100 and remote unit 120. 

This system, however, is subject to attack as follows. 
First, the attacker intercepts and records the first message 
sent to remote unit 120 which contains the encrypted key 
110. The attacker then records subsequent messages sent 
encrypted with new key 102. The attacker can then break the 
code on subsequent messages and recover new key 102. 
With new key 102 now obtained, the attacker can decrypt the 
first message and recover master key 122. With knowledge 
of master key 122, all subsequent messages are vulnerable 
to interception. 

Other data encryption techniques are used by the cellular 
phone industry to protect not only communications between 
callers, but to protect the security of identification numbers 
of remote cellular phones subscribing to the particular 
system. However, the present systems that attempt to main- 
tain the secrecy of the remote phone's identification number 
are subject to attack. Currently, when a cellular phone is 
used, it must first establish initial contact with the base 
station. When the initial contact is made, the remote cellular 25 
phone is then interrogated by the base station in order to 
obtain the cellular phone's identification number. This iden- 
tification number is then used by the cellular phone system 
to invoice the customer for the call. However, attackers can 
intercept the initial transmission and determine the remote 
user's identification number, which they can then proceed to 
install in a cellular phone of their own which can now be 
used or sold. Calls made from this "imposter" phone will 
then be billed to the original subscriber. This type of cellular 
telephone fraud has swamped the phone companies with 
requests for new telephone numbers and for billing refunds 
from cellular users, resulting in the loss by the phone 
companies of significant amounts of money. 

Accordingly, in any situation in which communication 
between a sender and a receiver must be kept confidential, 
there is a need to provide a key encryption system that is 
relatively easy to implement and less vulnerable to attack by 
unauthorized parties. There has been a long felt need to 
provide such an improved key encryption system which is 
extremely secure and nearly impossible to break and decrypt 45 
subsequent communication keys. There is also a need to 
provide an improved encryption system that will prevent 
cellular phone fraud and fraud in similar types of systems by . 
authenticating the identity of the remote unit 
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The present invention meets these above needs. Accord- 
ing to one aspect of the present invention, there is provided 
a method for securely distributing a communications key 
from a master unit to a remote unit. The method includes the 53 
steps of: 

(a) storing first and second secret numbers in the master 
and remote units; 

(b) generating a random number and storing the random 
number in the master unit; 

(c) combining the random number with the first secret 
number to produce a first intermediate number in the master 
unit; 

(d) combining the first intermediate number with the 
second secret number to produce a second intermediate 
number in the master unit; 
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(e) combining the second intermediate number with the 
communications key to produce a transmission number in 
the master unit; 

(f) transmitting the transmission number and the random 
number from the master unit to the remote unit; 

(g) receiving the transmission number and the random 
number in the remote unit; 

(h) combining the random number with the first secret 
number to recreate the first intermediate number in the 
remote unit; 

(i) combining the first intermediate number with the 
second secret number to produce the second intermediate 
number in the remote unit; and 

(j) combining the second intermediate number with the 
transmission number to produce the communications key in 
the remote unit. 

The method preferably includes the step of combining the 
first intermediate number with the second secret number in 
the master and remote units by the step of encrypting the first 
intermediate number using the second secret number as the 
encrypting key. More preferably, this encrypting step com- 
prises DES encryption. 

In preferred methods, the step of combining the random 
number with the first secret number in the master and remote 
units includes the step of exclusive OR-ing the random 
number with the first secret number; the step of combining 
the second intermediate number with the communications 
key; in the master unit includes the step of exclusive OR-ing 
the intermediate number with the communications key; and 
the step of combining the second intermediate number with 
the transmission number in the remote system includes the 
step of exclusive OR-ing the second intermediate number 
with the transmission number. 

Preferably, steps (b) through (j) are repealed on a periodic 
basis to change the communications key, with a preferred 
periodic basis being about every hour, or more preferably 
less than every 1 5 minutes, or most preferably, every three 
minutes. The method may also include the step of securely 
loading the first and second secret numbers from the master 
system to the remote unit. 

The present invention also provides a system for perform- 
ing the method. A still further aspect of the present invention 
provides a method for authenticating the identity of a remote 
unit in a plurality of remote' units in communication with a 
master unit, where the master and remote units have stored 
therein first and second secret numbers identifying the 
remote unit. The authenticating method includes the steps 
of: 

(a) storing in each one of the plurality of remote units first 
and second secret numbers, the first and second secret 
numbers in one remote unit being different than the first and 
second secret numbers in any other remote unit; 

(b) storing in the master unit the first and second secret 
numbers of the plurality of the remote units; 

(c) establishing initial contact between the master unit and 
a selected one of the plurality of the remote units; 

(d) providing a random number to the master unit; 

(e) transmitting the random number from the master unit 
to the selected remote unit; 

(0 processing the random number in the selected remote 
unit with the first and second secret numbers to generate a 
remote processed number; 

(g) processing the random number in the master unit with 
the first and second secret numbers to generate a master 
processed number, 
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(h) transmitting the remote processed number to the 
master unit; and 

(i) comparing the remote processed number and the 
master processed number in the master unit, wherein the 
identity of the selected remote unit is authenticated when the 5 
remote processed number is equal remote unit is authenti- 
cated when the remote processed number is equal to the 
master processed number. 

Preferably, the step of processing the random number in 
the selected remote unit includes the steps of combining the 
random number with the first secret number to generate a 
remote intermediate number and combining the remote 
intermediate number with the second secret number to 
generate the remote processed number. Further, the step of 
processing the random number in the master unit may 15 
include the steps of combining the random number with the 
first secret number to generate a master intermediate number 
and combining the master intermediate number with the 
second secret number to generate the master processed 
number. 20 

The step of combining the random number with the first 
secret number in the selected remote and master units 
preferably includes the step of exclusive OR-ing the random . 
number with the first secret number in the master and ^ 
selected remote units. Also preferably, the remote and mas- 
ter intermediate numbers are combined with the second 
secret number by an encrypting step using the second secret 
number as the encrypting key. In a highly preferred method, 
the encrypting step is conducted using DES encryption. 3Q 

The step of establishing initial contact may further include 
the step of transmitting an identification number from the 
selected remote unit to the master unit and recalling in the 
master unit the first and second secret numbers associated 
with that identification number. 35 

BRIEF DESCRIPTION OF THE DRAWINGS 

FIG. 1 is an example of a prior art key distribution system; 

FIG. 2 is a flow chart illustrating a method of key w 
distribution in accordance with one aspect of the present 
invention; 

FIG. 3 is a schematic diagram of a key distribution system 
for performing the method of FIG. 2; 

FIG. 4 is a flow chart illustrating a method for authenti- 45 
eating the identity of a remote unit in communication with 
a master unit in accordance with another aspect of the 
present invention; and 

FIG. 5 is a schematic diagram of an authentication system 
for performing the method of FIG. 4. 5° 

DET AILED DESCRIPTION OF THE 
PREFERRED EMBODIMENTS 

Referring now to FIG. 3, a schematic diagrarn of a key 55 
distribution system in accordance with the present invention 
is illustrated. The key distribution system includes a master 
unit 200 and a remote unit 250 which, after installation and 
set up, are in communication with one another through 
communications channel 240. Communications channel 240 go 
can comprise many different forms such as regular telephone 
lines, satellite links, local area networks, free space trans- 
mission, etc. 

Master unit 200 includes a random number generator 
(RNG) 202 for generating a random number R, preferably of 63 
8 bytes, which is stored in R memory 204. Random number 
generator 202 is also used to generate a random number, 
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preferably of 8 bytes, to be used as the new communications 
key which is stored in new key memory 206. Master unit 200 
is further provided with secret number (SN) memories SN1 
memory 208 for storing a first secret number SN1, and SN2 
memory 210 for storing a second secret number SN2. Secret 
numbers SN1 and SN2 preferably have a length of 8 bytes 
each. Master unit 200 also includes a conventional DES 
encryption unit 212, such as DES unit Am9518 sold by 
Advanced Micro Devices of Sunnyvale, Calif., and XOR 
(exclusive-OR) gates 214 and 216. A single XOR gate may 
also be used in master unit 200 for all necessary XOR 
operations. 

Remote unit 250 of the key distribution system likewise 
includes SN1 and SN2 memories 252 and 254 for storing 
first and second secret numbers SN1 and SN2, respectively, 
conventional DES encryption unit 256, XOR gates 258 and 
260 (which can be combined into one gate) and decrypted 
new key memory 262. Remote unit 250 also includes one 
way data port 301 connected to SN1 and SN2 memories 252 
and 254. Transport battery 304 is also provided within 
remote unit 250 and is connected to SN1 and SN2 memories - 
252 and 254. An arming lanyard 306 is connected to node 
308 and when released will disengage transport battery 304 
from SN1 and SN2 memories 252 and 254. When installed 
in its intended location, remote unit 250 is powered by 
external power supply 320. * 

The operation of the key distribution system shown in 
FIG. 3 is as follows. Initially, prior to any key changes, 
remote unit 250 is "enrolled" with its secret number pair 
SN1 and SN2. Master unit 200 likewise is initially provided 
with the same two secret numbers SN1 and SN2. To enroll 
remote unit 250, secret numbers SN1 and SN2 are first 
loaded in SN1 and SN2 memories 208 and 210, respectively, 
of master unit 200. Secret numbers SN1 and SN2 may be 
retrieved from a secret number memory bank (not shown) 
containing secret number pairs of all remote units used in the 
system. SN1 and SN2 then may be enrolled into SN1 and 
SN2 memories 252 and 254 in remote unit 250 before 
remote unit 250 is taken to the remote site. In order to enroll 
remote unit 250 with its secret numbers SN1 and SN2, an 
enroller 302 may be provided to allow SN1 and SN2 to be 
securely read out from SN1 and SN2 memories 208 and 210 
in master unit 200 and into SN1 and SN2 memories 252 and 
254 of remote unit 250. 

Enroller 302 preferably consists of a cable and plug and 
connects master unit 200 with remote unit 250 only during 
the enrolling process. Remote unit 250 is provided with a 
one-way data transfer port 301, such as an ASCII port used 
only for enrolling the remote unit 250. One-way transfer port 
301 provides additional security by not allowing SN1 and 
SN2 or any other data to be read out through that port 

After remote unit 250 is enrolled, SN1 and SN2 arc stored 
in SN1 and SN2 memories 252 and 254, which consist of 
volatile memory. While taking remote unit 250 to its 
intended remote installation location, volatile SN1 and SN2 
memories 252, 254 are temporarily maintained by way of 
transport battery 304 since remote unit 250 is not yet 
connected to external power supply 320. Transport battery 
304, however, is detachable from memories 252 and 254 by 
the removal of arming lanyard 306 which breaks the trans- 
port battery connection at node 308 once remote unit 250 is 
securely installed in its remote location and connected to 
external power supply 320. Thus, once remote unit 250 is 
installed at its intended remote location and arming lanyard 
306 is removed, any attempts to remove remote unit 250 
from its installed location will cut off external power supply 
320 and will result in the immediate loss of all memory 
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including SN1 and SN2. For further security, remote unit 
250 is preferably provided with a tamper-proof housing such 
that any attempt to physically penetrate remote unit 250 
without removing it will also cut off the external power 
supply and destroy all memory. 5 

Once remote unit 250 is enrolled with SN1 and SN2 and 
installed in its intended remote location, the new commu- 
nications key is generated and distributed as follows. In 
master unit 200, random number generator 202 first gener- 
ates a new key which is then stored in new key memory 206. 10 
Random number generator 202 also generates a random 
number R which is stored in R memory 204. Random 
number R and SN1 are then sent to XOR gate 214 and 
XOR-ed to produce a first intermediate number A. First 
intermediate number A is then encrypted by DES encryption 5 
unit 212 using SN2 as the encryption key, thereby generating 
a second intermediate number K. Second intermediate num- 
ber K is then XOR-ed at XOR gate 216 with the new 
communications key stored in new key memory 206 to 
generate a transmission number G in master unit 200. 
Transmission number G is then sent together with random 
number R over communications channel 240, e.g„ over a 
phone line, satellite link, etc., to remote unit 250. 

At remote unit 250, the process is then reversed in order 
to recreate the new communication key to be used. In this ^ 
regard, transmission number G and random number R are 
initially received from master unit 200. Random number R 
is then XOR-ed with SN1 at XOR gate 258 to recreate first 
intermediate number A. First intermediate number A is then 
encrypted at DES encrypdon unit 256 using secret number 3Q 
SN2 as the encryption key. The result of the encryption 
operation is the recreation of second intermediate number K, 
which is then XOR-ed with transmission number G at XOR 
gate 260 in order to decrypt and recreate the new commu- 
nications key, which subsequently may. be stored in 35 
decrypted new key memory 262, Once remote unit 250 has 
recovered the new communications key, remote unit 250 and 
master unit 200 may safely communicate with one another 
other by encrypting messages with the common communi- 
cations key known only to the master and remote units. ^ 

The advantage of this key distribution system lies in the 
fact that a new communications key can be sent as often as 
desired from the master unit to the remote unit, and even if 
an unauthorized party can somehow manage to decipher the 
particular key in use, knowing that key will not yield the first 45 
and second secret numbers SN1 and SN2 which are unique 
to each remote unit and used in all key changes. As a result, 
a new key can be distributed with such a high frequency that 
it would not be useful to attempt to decrypt the key since that 
key will shortly be changed and thereafter will be useless, so 
Therefore, in order to break the system, a would-be attacker 
would have to attempt to obtain the two secret numbers. The 
new key is preferably distributed on a periodic basis about 
every hour, and more preferably less than every 15 minutes. 
Most preferably, the new key is distributed about every three 55 
minutes. 

Assuming that the would-be attacker is even able to 
determine the second intermediate number K, it is virtually 
impossible to obtain both secret numbers. Knowing K, the 
attacker would have to find two numbers (secret numbers 60 
SN1 and SN2) such that SN1 XOR-ed with R and then 
encrypted using SN2 as the key, will yield intermediate 
number K. The problem is that there are 2 120 possible 
combinations of which no less than 256 appear to work since 
SN1 XOR-ed with R and encrypted using SN2 will yield the 65 
communications key when tested against the message. How- 
ever, only one of these 256 combinations is actually correct. 
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and only the correct combination will work with subsequent 
key changes. Since a new communications key is preferably 
transmitted every few minutes, it is virtually impossible for 
the attacker to break the system. 

Although FIG. 3 only illustrates a single remote unit, it 
should be appreciated that multiple remote units may be 
used in the system, with each remote unit having its own 
unique secret numbers SN1 and SN2 which can be ascer- 
tained in the master unit when the master unit effectuates a 
key change to each remote unit. 

The key encryption system of the present invention is 
useful not only to protect communications between a sender . L 
and a receiver where the primary consideration is concealing 
the content of the message being sent, but is also extremely 
useful in security systems where the content of the message 
is typically known. Such "messages", including card swipes, 
the opening of doors, etc., must be protected from being 
aliased, i.e., false messages being sent to deceive the master 
unit. 

Referring now to FIG. 2, a flow chart of the method of the 
present invention is shown. As can be seen, a random 
number R is first generated in the master unit and then 
XOR-ed with SN1 to produce first intermediate number A. 
First intermediate number A is then encrypted with SN2 (by 
DES encryption) to produce second intermediate number K. 
Second intermediate K is then XOR-ed with the new key to 
be sent to produce the transmission number G. The master 
unit then sends transmission number G and random number 
R to the remote unit. The remote unit then reverses the 
sequence by XOR-ing random number R with SN1 to 
recreate first intermediate number A. First intermediate 
number A is then encrypted with SN2 (by DES encryption) 
to produce second intermediate number K. Second interme- 
diate number K is then XOR-ed with transmission number 
G to recreate the new communications key to be used in 
subsequent communications. Preferably, a new key is sent 
out as frequently as necessary, such as every three minutes, 
other predetermined periodic time intervals such as every 15 
minutes or every hour, or even at random time intervals. 

Turning now to FIG. 5, a system for authenticating the 
identity of each remote unit, such as a cellular telephone unit 
in a system of remote units in communication with a master 
unit, is shown in schematic form. The identification system 
includes a master unit 400 and at least one remote unit 450 
which are in communication with one another through 
communication channel 440. 

Master unit 400 includes a random number generator 402 
for generating a random number R which can be stored in R 
memory 404. Master unit 400 is further provided with secret 
number (SN) memories SN1 memory 408 for storing first 
secret number SN1, and SN2 memory 410 for storing second 
secret number SN2. Secret number pain SN1 and SN2 are 
provided for each remote unit 450, and therefore, master unit 
400 can include a master ID memory 406 to store all of the 
secret numbers SN1 and SN2 for each remote unit in the 
system. Master unit 400 also includes a conventional DES 
encryption unit 412, XOR gate 414, and comparison circuit 
416 used for comparing a pair of numbers to determine 
whether they are the same. 

Each remote unit of the identification system, such as 
remote unit 450, includes SN1 and SN2 memories 452 and 
454 for storing first and second secret numbers SN1 and 
SN2, unique to that remote unit respectively. Remote unit 
450 also includes a conventional DES encryption unit 456, 
XOR gate 458 and remote ID memory 460 which stores the 
unique identification number of the particular remote unit in 
the system. 
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The operation of the system shown in FIG. 5 for authen- 
ticating the identity of each remote unit in the system is as 
follows. Master unit 400 is initially provided with all of the 
pairs of secret numbers, SN1 and SN2, for all of the remote 
units in the system. These secret numbers are stored in 
remote ID memory 406. The secret numbers of each remote 
system may then be enrolled into SN1 and SN2 memories 
452 and 454 of each remote unit. In this manner, remote unit 
450, for example, can be enrolled with its unique secret 
numbers SN1 and SN2 as previously explained in the key 
distribution system of the present invention, i.e., by provid- 
ing a one way transfer port in remote unit 450 for one way 
downloading of the secret numbers SN1 and SN2. In addi- 
tion, remote unit 450 may also be provided with additional 
security measures as described above in the key distribution 
system, including volatile memory 452 and 454 maintained 
only by way of a transport battery, the connection to which 
can be broken by the use of an arming lanyard or similar 
device once remote unit 450 is connected to an external 
power supply, such as a car battery. In this manner, remote 
unit 450 should also be tamper-proof such that any attempts 
to ascertain SN1 and SN2 will result in the immediate loss 
of these numbers from memory. 

After remote unit 450 is enrolled with SN1 and SN2 and 
installed in its intended remote location, initial contact must 
be established between master unit 400 and remote unit 450. 
For example, in a cellular phone system, this could be 
established when the sender of the call from remote unit 450 
initially dials and sends a telephone number. With the 
telephone number, remote unit 450 can send its unique 
identification number, stored in ID memory 460, which will 
then be received in master unit 400. Once master unit 
receives the identification number, it then can look up the 
secret numbers SN1 and SN2 for remote unit 450 as iden- 
tified by its unique identification number. With SN1 and SN2 
of the remote unit 450, random number generator 402 
generates a random number R which is stored in R memory 
404. Random number R is then sent from master unit 400 to 
remote unit 450 in which it is received and XOR-ed with 
SN1 at XOR gate 458. This XOR operation produces a first 
intermediate number A which is then encrypted by DES unit 
456, using SN2 as the encryption key, to thereby generate a 
remote processed number RPN. 

At the same time, in the master unit 400 the same random 
number R is likewise XOR-ed with SN1 at XOR gate 414 
producing intermediate number A, which is in turn 
encrypted by DES unit 412 using SN2 as the encryption key. 
The result is a master processed number MPN. The remote 
unit 450 then transmits RPN to master unit 400 where it is 
compared with MPN at comparison circuit 416, such as by 
the use of one or more XOR gates in order to determine 
whether they match. If MPN equals RPN, then the remote 
unit is authenticated and the call is allowed to proceed. 

Turning to FIG. 4, a flow chart of the method of authen- 
ticating the identity of a remote unit is shown. Thus, initial 55 
contact is first established between the master and remote 
units and the identification number of the remote unit is sent 
to the master unit. The master unit then uses the identifica- 
tion number to locate SN1 and SN2 for the identified remote 
unit Next, a random number R is generated in the master go 
unit which is then transmitted to the remote system. The 
remote unit, which already has stored first and second secret 
numbers SN1 and SN2, processes random number R using 
these secret numbers to generate a remote processed number 
RPN. 

The same processing of the random number R occurs in 
the master unit using the secret numbers SN1 and SN2 of the 
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identified remote unit. The remote unit then transmits the 
remote processed number RPN to the master unit where the 
master processed number MPN is compared to the remote 
processed number RPN to authenticate the identity of the 
remote unit If RPN and MPN match, then the remote unit 
is authentic since only the remote unit will be able to 
recreate a remote processed number equal to the master 
processed number by the use of secret numbers SN1 and 
SN2. 

Preferably, the processing of the random number in both 
the master and remote units is accomplished by first XOR- 
ing random number R with SN1 to produce an intermediate 
number A, although other logical and arithmetic operations 
may be used, such as multiplication and truncation, so long 
as the same operation is performed both in the master and 
remote units, or if different operations are used, so long as 
the differences in the operations are accounted for in the 
master and/or remote units. Intermediate number A is, in 
turn, encrypted using SN2, preferably using DES encryp- 
tion, to generate the remote and master processed numbers 
for comparison. 

It should be apparent to those of ordinary skill in the art 
that all of the operations described herein can be carried out 
under the control of a microprocessor or CPU and using 
readily available electronic and IC components. Moreover, 
although DES encryption is preferred for encrypting opera- 
tions in accordance with the present invention, other 
encrypting operations can be used, such as matrix, table 
look-up, etc. 

Although the invention herein has been described with 
reference to particular embodiments, it is to be understood 
that these embodiments are merely illustrative of the prin- 
ciples and applications of the present invention. It is there- 
fore to be understood that numerous modifications may be 
made to the illustrative embodiments and that other arrange- 
ments may be devised without departing from the spirit and 
scope of the present invention as defined by the appended 
claims. 

What is claimed is: 

1. A system for securely distributing a communications 
key from a master unit to a remote unit, comprising: 
memory means for storing first and second secret numbers 

in the master unit; 
random number generating means for providing a random 

number to the master unit; 
first combining means in the master unit for combining 
said random number with said first secret number to 
produce a first intermediate number; 
second combining means in the master unit for combining 
said first intermediate number with said second secret 
number to produce a second intermediate number; 
third combining means in the master unit for combining 
said second intermediate number with the communica- 
tions key to produce a transmission number; 
communication means for transmitting signals between 

the master and remote units; 
memory means for storing said first and second secret 

numbers in the remote unit; 
first combining means in the remote unit for combining 
said random number with said first secret number to 
produce said first intermediate number, 
second combining means in the remote unit for combining 
said first intermediate number with said second secret 
number to produce said second intermediate number, 
and 
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third combining means in the remote unit for combining 
said intermediate number with said transmission num- 
ber to produce the communications key. 

2. The system as claimed in claim 1, wherein said second 
combining means in the master unit and said second com- 
bining means in the remote unit include encryption means 
for encrypting said first intermediate number using said 
second secret number as an encrypting key. 

3. The system as claimed in claim 2, wherein said 
encryption means uses DES encryption. 

4. The system as claimed in claim 1, wherein said first 
combining means in the master unit and said first combining 
means in the remote unit include means for exclusive 
OR-ing said random number with said first secret number. 

5. The system as claimed in claim 1, wherein said third 
combining means in the master unit includes means for 
exclusive OR-ing said second intermediate number with the 
communications key and said third combining in the remote 
unit includes means for exclusive OR-ing said second inter- 
mediate number with said transmission number. 

6. The system as claimed in claim 4, wherein said third 
combining means in the remote unit includes means for 
exclusive OR-ing said second intermediate number with said 
transmission number. 

7. The system as claimed in claim 1, further comprising 
enrolling means for securely copying said first and second 
secret numbers from the master unit into said memory 
means in the remote unit. 

8. A method for securely distributing a communications 
key from a master unit to a remote unit, comprising the 
steps of: 

(a) storing first and second secret numbers in the master 
and remote units; 

(b) generating a random number and storing said random 
number in the master unit; 

(c) combining said random number with said first secret 
number to produce a first intermediate number in the 
master unit; 

(d) combining said first intermediate number with said 40 
second secret number to produce a second intermediate 
number in the master unit; 

(e) combining said second intermediate number with said 
communications key to produce a transmission number 
in the master unit; 

(f) transmitting said transmission number and said ran- 
dom number from the master unit to said the remote 
unit; 

(g) receiving said transmission number and said random 
number in the remote unit; 

(h) combining said random number with said first secret 
number to produce said first intermediate number in the 
remote unit; 

(i) combining said first intermediate number with said 53 
second secret number to produce said second interme- 
diate number in the remote unit; and 

(j) combining said second intermediate number with said 
transmission number to produce said communications 
key in the remote unit. 

9. The method as claimed in claim 8, wherein said step of 
combining said first intermediate number with said second 
secret number in the master and remote units includes the 
step of encrypting said first intermediate number using said 
second secret number as an encrypting key. 

10. The method as claimed in claim 9, wherein said 
encrypting step comprises DES encryption. 
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11. The method as claimed in claim 8, wherein said step 
of combining said random number with said first secret 
number in the master and remote units includes the step of 
exclusive OR-ing said random number with said first secret 
number. 

12. The method as claimed in claim 8, wherein said step 
of combining said second intermediate number with said 
communications key in the master unit includes the step of 
exclusive OR-ing said second intermediate number with said 
communications key and said step of combining said second 
intermediate number with said transmission number in the 
remote unit includes the step of exclusive OR-ing said 
second intermediate number with said transmission number. 

13. The method as claimed in claim 11, wherein said step 
of combining said second intermediate number with said 
communications key in the master unit includes the step of 
exclusive OR-ing said second intermediate number with said 
communications key and said step of combining said second 
intermediate number with said transmission number in the 
remote unit includes the step of exclusive OR-ing said 
second intermediate number with said transmission number. 

14. The method as claimed in claim 8, wherein said steps - 
of (b) through (j) are repeated on a periodic basis to change 
said communications key. 

15. The method as claimed in claim 14, wherein said 
periodic basis is about every hour. 

16. The method as claimed in claim 14, wherein said 
periodic basis is less than every 15 minutes. 

17. The method as claimed in claim 14, wherein said 
periodic basis is about every three minutes. 

18. The method as claimed in claim 8, further including 
the step of securely copying said first and second secret 
numbers from the master unit to the remote unit. 

19. A method for authenticating the identity of remote unit 
in a plurality of remote units in communication with a 
master unit, said method comprising the steps of: 

(a) storing in each one of the plurality of remote units first 
and second secret numbers, said first and second secret 
numbers in one remote unit being different than said 
first and second secret numbers in any other remote 
unit; 

(b) storing in the master unit said first and second secret 
numbers of the plurality of the remote units; 

(c) establishing initial contact between the master unit and 
a selected one of the plurality of remote units; 

(d) providing a random number to the master unit; 

(e) transmitting said random number from the master unit 
to said selected remote unit; 

(f) processing said random number in said selected remote 
unit with said first and second secret numbers stored in 
said selected remote unit to generate a remote pro- 
cessed number; 

(g) processing said random number in the master unit with 
said first and second secret numbers to generate a 
master processed number; 

(h) transmitting said remote processed number to the 
master unit; and 

(i) comparing said remote processed number and said 
master processed number in the master unit, whereby 
the identity of said selected remote unit is authenticated 
when said remote processed number is equal to said 
master processed number. 

20. A method as claimed in claim 19. wherein said step of 
processing said random number in said selected remote and 
master units comprises the steps of combining said random 
number with said first secret number to generate an inter- 
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mediate number and combining said intermediate number 
with said second secret number to generate said respective 
remote and master processed numbers. 

21. Hie method as claimed in claim 20, wherein said step 
of combining said random number with said first secret 
number in said selected remote unit and the master unit 
includes the step of exclusive OR-ing said random number 
with said first secret number in the master unit and said 
selected remote unit. 

22. A method as claimed in claim 20, wherein said step of 
combining said intermediate number with said second secret 
number in the master unit and said selected remote unit 
includes the step of encrypting said intermediate number 
using said second secret number as an encrypting key. 

23. The method as claimed in claim 22, wherein said 
encrypting step comprises DES encryption. 

24. The method as claimed in claim 19, wherein said step 
of establishing initial contact comprises the steps of trans- 
mitting an identification number from said selected remote 
unit to the master unit and recalling in the master unit said 
first and second secret numbers associated with said iden- 
tification number identifying said selected remote unit. 

25. A system for authenticating the identity of a remote 
unit in a plurality of remote units in communication with a 
master unit, comprising: 

remote memory means for storing in each one of the 
plurality of remote units first and second secret num- 
bers, said first and second secret numbers in one remote 
unit being different than said first and second secret 
numbers in any other remote unit; 

master memory means for storing in the master unit said 
first and second secret numbers of the plurality of the 
remote units; 

contact means for establishing initial communication 

between the master unit and a selected one of the 

plurality of said remote units; 
random number generating means for providing a random 

number to the master unit; 
communications means for transmitting signals between 

the master and remote units; 
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remote processing means for combining said random 
number in said selected remote unit with said first and 
second secret numbers stored in said selected remote 
unit in said predetermined manner to generate a remote 
processed number; 

master processing means for processing said random 
number in the master unit with said first and second 
secret numbers for said selected remote unit stored in 
the master unit in said predetermined manner to gen- 
erate a master processed number; and 

comparison means for comparing said remote processed 
number and said master processed number in the mas- 
ter unit, whereby the identity of said selected remote 
unit is authenticated when said remote processed num- 
ber is equal to said master processed number. 

26. The system as claimed in claim 25, wherein said 
remote processing means and said master processing means 
comprise first combining means for combining said random 
number with said first secret number to produce an inter- 
mediate number and means for combining said intermediate 
number with said second secret number to produce said 
respective remote and master processed numbers. 

27. The system as claimed in claim 26, wherein said first 
combining means in said selected remote and master units 
include means for exclusive OR-ing said random number 
with said first secret number. 

28. The system as claimed in claim 26, wherein said 
second combining means in said selected remote and master 
units include encryption means for encrypting said interme- 
diate number using said second secret number as an encrypt- 
ing key. 

29. The system as claimed in claim 28, wherein said 
encryption means uses DES encryption. 

30. The system as claimed in claim 25, wherein said 
contact means comprises transmission means for transmit- 
ting an identification number from said selected remote unit 
to the master unit. 

31. The system as claimed in claim 25, wherein said 
selected remote unit comprises a cellular telephone. 
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